b'\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\n\n\n                                  KPMG LLP\n                                  2001 M Street, NW\n\n                                  Washington, DC 20036 \n\n\n\n\n\n                                     Independent Auditors\xe2\x80\x99 Report\n\xc2\xa0\nSecretary and Inspector General\nU.S. Department of Labor:\n\nWe have audited the accompanying consolidated balance sheets of the U.S. Department of Labor (DOL) as of\nSeptember 30, 2009 and 2008; the related consolidated statements of net cost and changes in net position, and\ncombined statements of budgetary resources for the years then ended; and the statements of social insurance as of\nSeptember 30, 2009, 2008, 2007, and 2006 (hereinafter referred to as \xe2\x80\x9cconsolidated financial statements\xe2\x80\x9d). The\nobjective of our audits was to express an opinion on the fair presentation of these consolidated financial statements.\nIn connection with our fiscal year 2009 audit, we also considered DOL\xe2\x80\x99s internal control over financial reporting and\ntested DOL\xe2\x80\x99s compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that\ncould have a direct and material effect on these consolidated financial statements.\n\nWe have also examined DOL\xe2\x80\x99s compliance with section 803a of the Federal Financial Management Improvement\nAct of 1996 (FFMIA) as of September 30, 2009.\n\nSUMMARY\nAs stated in our opinion on the consolidated financial statements, we concluded that DOL\xe2\x80\x99s consolidated financial\nstatements present fairly, in all material respects, the financial position of DOL as of September 30, 2009 and 2008;\nits net costs, changes in net position, and budgetary resources for the years then ended; and the financial condition of\nits social insurance program as of September 30, 2009, 2008, 2007, and 2006, in conformity with U.S. generally\naccepted accounting principles.\n\nAs discussed in our opinion on the consolidated financial statements, the statements of social insurance present the\nactuarial present value of DOL\xe2\x80\x99s future expenditures to be paid to or on behalf of participants, estimated future\nincome to be received from excise taxes, and estimated expenditures for administrative costs during a projection\nperiod ending in 2040.\n\nAlso as discussed in our opinion on the consolidated financial statements, in fiscal year 2009, DOL adopted new\naccounting and reporting requirements for fiduciary activities and changed the presentation of its statements of social\ninsurance.\n\nOur consideration of internal control over financial reporting resulted in identifying certain deficiencies that we\nconsider to be significant deficiencies, as follows:\n\n    1.   Lack of Adequate Controls over Access to Key Financial and Support Systems\n\n    2. Weakness Noted over Payroll Accounting\n\n    3. Lack of Segregation of Duties over Journal Entries\n\n    4. Lack of Sufficient Controls over Financial Statement Preparation\n\n\n                                         KPMG LLP, a U.S. limited liability partnership, is the U.S.\n                                         member firm of KPMG International, a Swiss cooperative.\n\n\n\n\n                                                                                                       FY\xc2\xa02009\xc2\xa0Performance\xc2\xa0and\xc2\xa0Accountability\xc2\xa0Report\xc2\xa0\xc2\xa0\xc2\xa0151\n\x0cFinancial\xc2\xa0Section\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\n\n\n\nWe did not identify any deficiencies in internal control over financial reporting that we consider to be material\nweaknesses as defined in the Internal Control over Financial Reporting section of this report.\n\nThe results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements\ndisclosed no instances of noncompliance and one other matter that are required to be reported herein under\nGovernment Auditing Standards and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit\nRequirements for Federal Financial Statements, as amended.\n\nAs stated in our opinion on DOL\xe2\x80\x99s compliance with FFMIA, we concluded that DOL complied, in all material\nrespects, with the requirements of FFMIA as of September 30, 2009.\n\nThe following sections discuss our opinion on DOL\xe2\x80\x99s consolidated financial statements; our consideration of DOL\xe2\x80\x99s\ninternal control over financial reporting; our tests of DOL\xe2\x80\x99s compliance with certain provisions of applicable laws,\nregulations, contracts, and grant agreements; and management\xe2\x80\x99s and our responsibilities.\n\nOPINION ON THE FINANCIAL STATEMENTS\nWe have audited the accompanying consolidated balance sheets of the U.S. Department of Labor as of September 30,\n2009 and 2008; the related consolidated statements of net cost and changes in net position, and the combined\nstatements of budgetary resources for the years then ended; and the statements of social insurance as of September\n30, 2009, 2008, 2007, and 2006. The accompanying statement of social insurance as of September 30, 2005 was not\naudited by us and, accordingly, we do not express an opinion on it.\n\nIn our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the\nfinancial position of the U.S. Department of Labor as of September 30, 2009 and 2008; its net costs, changes in net\nposition, and budgetary resources for the years then ended; and the financial condition of its social insurance program\nas of September 30, 2009, 2008, 2007, and 2006, in conformity with U.S. generally accepted accounting principles.\n\nAs discussed in Note 1-W to the consolidated financial statements, the statements of social insurance present the\nactuarial present value of DOL\xe2\x80\x99s future expenditures to be paid to or on behalf of participants, estimated future\nincome to be received from excise taxes, and estimated expenditures for administrative costs during a projection\nperiod ending in 2040. In preparing the statements of social insurance, management considers and selects\nassumptions and data that it believes provide a reasonable basis for the assertions in the statements. However,\nbecause of the large number of factors that affect the statement of social insurance and the fact that future events and\ncircumstances can not be known with certainty, there will be differences between the estimates in the statement of\nsocial insurance and the actual results, and those differences may be material.\n\nAlso as discussed in Note 1-B to the consolidated financial statements, DOL changed its method of reporting\nfiduciary activities to adopt the provisions of the Federal Accounting Standards Advisory Board\xe2\x80\x99s Statement of\nFederal Financial Accounting Standards (SFFAS) No. 31, Accounting for Fiduciary Activities, effective October 1,\n2008.\n\nAlso as discussed in Note 1-W to the consolidated financial statements, in fiscal year 2009, DOL changed the\npresentation of its statements of social insurance to remove estimated interest payments from the statements. DOL\nrevised its fiscal years 2005 through 2008 consolidated financial statements to conform to this fiscal year 2009\npresentation.\n\nThe information in the Management\xe2\x80\x99s Discussion and Analysis, Required Supplementary Information, and Required\nSupplementary Stewardship Information sections is not a required part of the consolidated financial statements, but is\n\n\n152\xc2\xa0\xc2\xa0\xc2\xa0United\xc2\xa0States\xc2\xa0Department\xc2\xa0of\xc2\xa0Labor\xc2\xa0\n\x0c                                                                                           Independent\xc2\xa0Auditors\xe2\x80\x99\xc2\xa0Report\xc2\xa0\n                                                                                                                       \xc2\xa0\n                                                                                                                       \xc2\xa0\n                                                                                                                       \xc2\xa0\n                                                                                                                       \xc2\xa0\n\xc2\xa0\n\n\n\n\nsupplementary information required by U.S. generally accepted accounting principles. We have applied certain\nlimited procedures, which consisted principally of inquiries of management regarding the methods of measurement\nand presentation of this information. However, we did not audit this information and, accordingly, we express no\nopinion on it.\n\nThe information in the Secretary\xe2\x80\x99s Message, Performance Section, and Other Accompanying Information are\npresented for purposes of additional analysis and are not required as part of the consolidated financial statements.\nThis information has not been subjected to auditing procedures and, accordingly, we express no opinion on it.\n\nINTERNAL CONTROL OVER FINANCIAL REPORTING\nOur consideration of the internal control over financial reporting was for the limited purpose described in the\nResponsibilities section of this report and was not designed to identify all deficiencies in the internal control over\nfinancial reporting that might be deficiencies, significant deficiencies, or material weaknesses.\n\nA deficiency in internal control exists when the design or operation of a control does not allow management or\nemployees, in the normal course of performing their assigned functions, to prevent, or detect and correct\nmisstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal\ncontrol that is less severe than a material weakness, yet important enough to merit attention by those charged with\ngovernance. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is\na reasonable possibility that a material misstatement of the entity\xe2\x80\x99s financial statements will not be prevented, or\ndetected and corrected on a timely basis.\n\nIn our fiscal year 2009 audit, we did not identify any deficiencies in internal control over financial reporting that we\nconsider to be material weaknesses as defined above. However, we identified certain deficiencies in internal control\nover financial reporting that we consider to be significant deficiencies and that are described in Exhibit I.\n\nWe noted certain additional matters that we will report to management of DOL in a separate letter.\n\nCOMPLIANCE AND OTHER MATTERS\n\nThe results of our tests of compliance described in the Responsibilities section of this report, exclusive of those\nreferred to in FFMIA, disclosed no instances of noncompliance that are required to be reported herein under\nGovernment Auditing Standards or OMB Bulletin No. 07-04, as amended.\n\nOther Matters. DOL is currently reviewing one incident regarding a potential violation of the Anti-deficiency Act. As\nof the date of this report, no final noncompliance determination has been made.\n\nWe noted certain additional matters that we will report to management of DOL in a separate letter.\n\nOPINION ON COMPLIANCE WITH FFMIA\n\nDOL represented that, in accordance with the provisions and requirements of FFMIA, the Secretary of Labor\ndetermined that the DOL\xe2\x80\x99s financial management systems are in substantial compliance with FFMIA.\n\nWe have examined the U.S. Department of Labor\xe2\x80\x99s compliance with section 803a of the Federal Financial\nManagement Improvement Act of 1996 as of September 30, 2009. Under section 803a of FFMIA, the U.S.\nDepartment of Labor\xe2\x80\x99s financial management systems are required to substantially comply with (1) Federal financial\nmanagement systems requirements, (2) applicable Federal accounting standards, and (3) the United States\n\n\n\n                                                                     FY\xc2\xa02009\xc2\xa0Performance\xc2\xa0and\xc2\xa0Accountability\xc2\xa0Report\xc2\xa0\xc2\xa0\xc2\xa0153\n\x0cFinancial\xc2\xa0Section\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\xc2\xa0\n\n\n\n\nGovernment Standard General Ledger at the transaction level. We used OMB\xe2\x80\x99s Revised Implementation Guidance\nfor the Federal Financial Management Improvement Act, dated January 4, 2001, to determine compliance.\n\nIn our opinion, the U.S. Department of Labor complied, in all material respects, with the aforementioned\nrequirements as of September 30, 2009.\n\nRESPONSIBILITIES\n\nManagement\xe2\x80\x99s Responsibilities. Management is responsible for the consolidated financial statements; establishing\nand maintaining effective internal control; and complying with laws, regulations, contracts, and grant agreements\napplicable to DOL.\n\nAuditors\xe2\x80\x99 Responsibilities. Our responsibility is to express an opinion on the fiscal year 2009 and 2008 consolidated\nfinancial statements of DOL based on our audits. We conducted our audits in accordance with auditing standards\ngenerally accepted in the United States of America; the standards applicable to financial audits contained in\nGovernment Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-\n04, as amended. Those standards and OMB Bulletin No. 07-04, as amended, require that we plan and perform the\naudits to obtain reasonable assurance about whether the consolidated financial statements are free of material\nmisstatement. An audit includes consideration of internal control over financial reporting as a basis for designing\naudit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the\neffectiveness of DOL\xe2\x80\x99s internal control over financial reporting. Accordingly, we express no such opinion.\n\nAn audit also includes:\n\n\xe2\x80\xa2\t     Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial\n       statements;\n\xe2\x80\xa2\t     Assessing the accounting principles used and significant estimates made by management; and\n\xe2\x80\xa2\t     Evaluating the overall consolidated financial statement presentation.\nWe believe that our audits provide a reasonable basis for our opinion.\n\nIn planning and performing our fiscal year 2009 audit, we considered DOL\xe2\x80\x99s internal control over financial reporting\nby obtaining an understanding of DOL\xe2\x80\x99s internal control, determining whether internal controls had been placed in\noperation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for\nthe purpose of expressing our opinion on the consolidated financial statements. We did not test all controls relevant\nto operating objectives as broadly defined by the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982. The objective\nof our audit was not to express an opinion on the effectiveness of DOL\xe2\x80\x99s internal control over financial reporting.\nAccordingly, we do not express an opinion on the effectiveness of DOL\xe2\x80\x99s internal control over financial reporting.\n\nAs part of obtaining reasonable assurance about whether DOL\xe2\x80\x99s fiscal year 2009 consolidated financial statements\nare free of material misstatement, we performed tests of DOL\xe2\x80\x99s compliance with certain provisions of laws,\nregulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on\nthe determination of the consolidated financial statement amounts, and certain provisions of other laws and\nregulations specified in OMB Bulletin No. 07-04, as amended. We limited our tests of compliance to the provisions\ndescribed in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant\nagreements applicable to DOL. However, providing an opinion on compliance with laws, regulations, contracts, and\ngrant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.\n\n\n\n154\xc2\xa0\xc2\xa0\xc2\xa0United\xc2\xa0States\xc2\xa0Department\xc2\xa0of\xc2\xa0Labor\xc2\xa0\n\x0c                                                                                        Independent\xc2\xa0Auditors\xe2\x80\x99\xc2\xa0Report\xc2\xa0\n                                                                                                                    \xc2\xa0\n                                                                                                                    \xc2\xa0\n                                                                                                                    \xc2\xa0\n                                                                                                                    \xc2\xa0\n\xc2\xa0\n\n\n\n\nOur responsibility also included expressing an opinion on DOL\xe2\x80\x99s compliance with FFMIA section 803a requirements\nas of September 30, 2009, based on our examination. Our examination was conducted in accordance with attestation\nstandards established by the American Institute of Certified Public Accountants and the standards applicable to\nattestation engagements contained in Government Auditing Standards issued by the Comptroller General of the\nUnited States, and accordingly, included examining, on a test basis, evidence about DOL\xe2\x80\x99s compliance with the\nrequirements of FFMIA section 803a and performing such other procedures as we considered necessary in the\ncircumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does\nnot provide a legal determination on DOL\xe2\x80\x99s compliance with specified requirements.\n\n                                      ______________________________\n\nDOL\xe2\x80\x99s response to the findings identified in our audit is presented in Exhibit I. We did not audit DOL\xe2\x80\x99s response\nand, accordingly, we express no opinion on it.\n\nThis report is intended solely for the information and use of DOL\xe2\x80\x99s management, DOL\xe2\x80\x99s Office of Inspector General,\nOMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be\nused by anyone other than these specified parties.\n\n\n\n\nNovember 15, 2009\xc2\xa0\n\n\n\n\n                                                                  FY\xc2\xa02009\xc2\xa0Performance\xc2\xa0and\xc2\xa0Accountability\xc2\xa0Report\xc2\xa0\xc2\xa0\xc2\xa0155\n\x0cFinancial\xc2\xa0Section\xc2\xa0\n\xc2\xa0\nSignificant\xc2\xa0Deficiencies\xc2\xa0\nExhibit\xc2\xa0I\xc2\xa0\n\xc2\xa0\n\n1.\t Lack of Adequate Controls over Access to Key Financial and Support Systems\n\n    In fiscal years (FY) 2006 through 2008, we reported a significant deficiency relating to the lack of adequate\n    controls over access to key financial and support systems.\n\n    We recommended that management:\n\n    \xe2\x80\xa2\t Identify key financial information technology (IT) controls and incorporate them into the U.S. Department of\n       Labor\xe2\x80\x99s (DOL) internal control and Office of Management and Budget (OMB) Circular No. A-123 testing\n       process, to ensure that these controls are documented and operating effectively during the year.\n\n    \xe2\x80\xa2\t Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address\n       access control weaknesses in current financial management systems.\n\n    During the FY 2008 audit, we noted that while DOL identified and tested key IT controls as part of its OMB\n    Circular No. A-123 testing process, certain parts of the testing were performed concurrently with our IT testing\n    and were not completed in time for us to assess the adequacy of the process. During our FY 2009 audit, we noted\n    that DOL continued to identify and test key IT controls as part of its OMB Circular No. A-123 testing process,\n    including follow-up on certain prior year IT findings and testing of the design and operating effectiveness of\n    certain key current year controls during the year. Additionally, DOL provided the OMB Circular No. A-123\n    testing results timely throughout the year.\n\n    In response to the second recommendation, we noted that the Office of the Chief Information Officer (OCIO)\n    updated Volume 1, Access Controls, of the DOL Computer Security Handbook in December 2008 and in May\n    2009. The updates to this volume required agencies to be compliant with the latest standards set forth by the\n    National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security\n    Controls for Federal Systems.\n\n    However, we noted that 25 prior year findings related to access controls have not been corrected (4 in the Office\n    of the Chief Financial Officer (OCFO), 9 in the Employment and Training Administration (ETA), 3 in the Office\n    of the Assistant Secretary for Administration and Management (OASAM), and 9 in the Employment Standards\n    Administration (ESA)). Additionally, we noted two prior year findings that were not corrected until the third and\n    fourth quarters of FY 2009 (1 in ETA and 1 ESA). In FY 2009, we identified access control weaknesses that\n    resulted in 11 new findings (1 in OCFO, 7 in ETA, 1 in OASAM, and 2 in ESA). Additionally, we issued one\n    new finding that was subsequently corrected in the third quarter of FY 2009 (in ESA). The specific nature of\n    these weaknesses, their causes, and the systems impacted by them has been communicated separately to\n    management.\n\n    In summary, we noted issues with account management, configuration management, and review of system audit\n    logs in our FY 2009 testing of DOL\xe2\x80\x99s IT systems. While these issues are less severe than a material weakness,\n    we determined that they are important enough to merit attention by those charged with governance. As such, we\n    believe that these new weaknesses and the uncorrected prior year control weaknesses represent a significant\n    deficiency over access to key financial and support systems. Specifically, the following control weaknesses were\n    present in one or more financial systems across various DOL agencies.\n\n    \xe2\x80\xa2 Account Management\n\n         \xe2\x80\xa2\t Account management controls were not performed, such as incomplete or missing access request,\n            modification, and termination forms;\n         \xe2\x80\xa2\t User accounts are not timely removed for separated users;\n\n\n156\xc2\xa0\xc2\xa0\xc2\xa0United\xc2\xa0States\xc2\xa0Department\xc2\xa0of\xc2\xa0Labor\xc2\xa0\n\x0c                                                                                    Independent\xc2\xa0Auditors\xe2\x80\x99\xc2\xa0Report\xc2\xa0\n                                                                                                                   \xc2\xa0\n                                                                                          Significant\xc2\xa0Deficiencies\xc2\xa0\n                                                                                                          Exhibit\xc2\xa0I\xc2\xa0\n                                                                                                                   \xc2\xa0\n                                                                                                                   \xc2\xa0\n   \xe2\x80\xa2\t Periodic user account reviews or re-certifications were not performed;\n   \xe2\x80\xa2\t Generic accounts existed on a system without a proper business justification for approximately half of\n      the fiscal year;\n   \xe2\x80\xa2\t Access authorization, modification, termination, recertification, and periodic reviews of data center\n      access were not consistent with policies; and\n   \xe2\x80\xa2\t Certain terminated personnel had active system accounts, and in some cases, terminated employees\n      accessed systems after their termination date.\n\n\xe2\x80\xa2 Configuration Management\n\n   \xe2\x80\xa2\t Technical security standards and policies need to be updated and implemented to include stronger logical\n      access security controls. Specifically, patches were not applied to systems in a timely manner;\n      unnecessary services were not disabled; and access to sensitive files, directories, or software was not\n      restricted;\n   \xe2\x80\xa2\t Production servers were not configured in accordance with baseline configurations or to the most\n      appropriate settings;\n   \xe2\x80\xa2\t Password settings do not comply with the DOL Computer Security Handbook;\n   \xe2\x80\xa2\t Inactive accounts were not disabled or deleted in a timely manner; and\n   \xe2\x80\xa2\t Certain human resources personnel had access to create and approve personnel action requests on their\n      own.\n\n\xe2\x80\xa2 Review of System Audit Logs\n\n   \xe2\x80\xa2\t Audit logs monitoring user and administrator activity, changes to security profiles, remote access logs,\n      access to sensitive directories, and failed login attempts are not reviewed, or documentation of audit log\n      reviews was not maintained;\n   \xe2\x80\xa2\t Audit log review procedures were not documented and finalized;\n   \xe2\x80\xa2\t Audit logs were not secured against editing by system administrators; and\n   \xe2\x80\xa2\t Application-level audit logs (e.g., significant transactions and changes to sensitive tables) were not\n      proactively reviewed.\n\n   These findings are a result of issues in the implementation and monitoring of Departmental procedures and\n   controls. While the DOL agencies closed 17 prior year access control findings, they have not invested the\n   necessary level of effort and resources to ensure that policies and procedures are designed and operating\n   effectively. These access control weaknesses could result in users with inappropriate access to financial\n   systems; inefficient processes; lack of completeness, accuracy, or integrity of financial data; and/or\n   undetected unusual activity within financial systems.\n\n   Based on these facts noted as part of our FY 2009 audit, we consider the recommendation related to testing\n   key financial IT controls as part of the OMB Circular No. A-123 testing process closed. However, we\n   consider the recommendation related to coordinating efforts among the DOL agencies to develop and/or\n   enforce procedures and controls to address access control weaknesses in current financial management\n   systems unresolved. To close this recommendation, the Chief Information Officer should (a) coordinate\n   efforts among the DOL agencies to develop procedures and controls to address access control weaknesses in\n   current financial management systems, (b) monitor the agencies\xe2\x80\x99 progress to ensure that procedures and\n   controls are appropriately implemented and maintained, and (c) ensure that sufficient resources are available\n   to develop, implement, and monitor the procedures and controls that address access control weaknesses.\n\n\n\n\n                                                              FY\xc2\xa02009\xc2\xa0Performance\xc2\xa0and\xc2\xa0Accountability\xc2\xa0Report\xc2\xa0\xc2\xa0\xc2\xa0157\n\x0cFinancial\xc2\xa0Section\xc2\xa0\n\xc2\xa0\nSignificant\xc2\xa0Deficiencies\xc2\xa0\nExhibit\xc2\xa0I\xc2\xa0\n\xc2\xa0\n\n\n    Management\xe2\x80\x99s Response: The Office of the Assistant Secretary for Administration and Management (OASAM)\n    does not concur with this determination. DOL management asserts DOL policies, procedures and standards for\n    management, operational, and technical controls are adequate and collectively provide compound safeguards and\n    redundant security measures to ensure the integrity of DOL financial systems. Further, the controls inherent to\n    specific applications are sufficiently designed and effective to prevent or detect any unauthorized access to DOL\n    financial systems.\n\n    The report, as presented, does not adequately represent the operating environments of the systems audited, nor\n    does it accurately relay the risk associated with the identified vulnerabilities. In general, risk levels are inflated\n    based on the nature of the weaknesses noted. For example, an account which is disabled, but not deleted, does\n    not represent a high risk as portrayed in the audit review. A disabled account does not permit unauthorized access\n    to a system. Additionally, the findings do not represent a systemic deficiency which, when taken in aggregate,\n    could adversely impact financial business processing.\n\n    As mentioned in the FY 2008 management response to this issue, a Department-wide comprehensive strategy\n    was established to address the identified conditions. The following milestones were achieved in FY 2009:\n    \xe2\x80\xa2\t Revised access control policy to strengthen account management procedures by requiring agencies to\n        conduct semiannual account reviews;\n    \xe2\x80\xa2\t Developed FY 2009 Security Testing and Evaluation plan that included access control and configuration\n        management focused quarterly reviews; and\n    \xe2\x80\xa2\t Implemented automated configuration management tool, Secure Elements C5, to measure agency\n        compliance with configuration management requirements.\n\n    The implemented strategy above attests to management\xe2\x80\x99s serious commitment to safeguard DOL information and\n    information systems. In FY 2010, management will continue to deploy processes and procedures aimed at\n    enhancing and strengthening the overall security posture of DOL\xe2\x80\x99s computer security program.\n\n    Auditor Response: The details of our FY 2009 IT findings and recommendations were provided to DOL\n    management through the established Notification of Findings and Recommendations process. While we did not\n    identify any individual finding as a significant deficiency, we evaluated the combination of certain findings, in\n    accordance with auditing standards generally accepted in the United States of America, to conclude that a\n    significant deficiency does exist, taking into consideration that certain findings, when assessed in aggregate,\n    identified deficiencies in both detective and preventive access controls related to one or more financial systems.\n    Although management stated that they do not concur with our recommendations, they plan on taking steps to\n    address them. Therefore, these recommendations are considered resolved and open. FY 2010 audit procedures\n    will determine whether these recommendations have been adequately addressed and can be considered closed.\n\n2.\t Weakness Noted over Payroll Accounting\n\n    During FYs 2006 through 2009, DOL used the U.S. Department of Agriculture\xe2\x80\x99s (USDA) Office of Chief\n    Financial Officer (OCFO)/National Finance Center (NFC) to process its payroll. For each pay period, DOL\n    submitted to the NFC payroll information that included all DOL employees for the period, along with their hours\n    worked, leave used, and other payroll related information for the period. The NFC processed the payroll for DOL\n    each period and made available for download a Detail Pay and Deduct Register report for each DOL Human\n    Resources office.\n\n    In FY 2006, we noted that DOL did not utilize the Detail Pay and Deduct Register reports to perform reviews or\n    reconciliations of data processed by the NFC, and no other controls were in place during the year to ensure that\n    the information that was submitted to NFC via Time and Attendance records was reconciled to what was shown\n    as paid in the Detail Pay and Deduct Register.\n\n158\xc2\xa0\xc2\xa0\xc2\xa0United\xc2\xa0States\xc2\xa0Department\xc2\xa0of\xc2\xa0Labor\xc2\xa0\n\x0c                                                                                          Independent\xc2\xa0Auditors\xe2\x80\x99\xc2\xa0Report\xc2\xa0\n                                                                                                                         \xc2\xa0\n                                                                                                Significant\xc2\xa0Deficiencies\xc2\xa0\n                                                                                                                Exhibit\xc2\xa0I\xc2\xa0\n                                                                                                                         \xc2\xa0\n                                                                                                                         \xc2\xa0\nWe recommended that management develop and implement policies and procedures to reconcile payroll\ninformation provided to the NFC to the payroll information processed by the NFC each pay period. These\nreconciliations should be documented, reviewed, approved by an appropriate supervisor, and maintained.\n\nAs part of DOL\xe2\x80\x99s corrective action plan for FY 2007, the OCFO\xe2\x80\x99s PeoplePower Task Force created a Time and\nAttendance Reconciliation Report, and the DOL OCFO issued policies and procedures that stated that each DOL\nHuman Resource office should review the Time and Attendance Reconciliation Reports each pay period and\nresearch and resolve differences identified. No offices that we tested in FY 2007 complied with the new OCFO\nprocedures, but two offices that we tested performed their own reconciliation procedures.\n\nDuring FY 2008, the OCFO issued revised policies and procedures dated October 23, 2007, requiring a review of\nthe Time and Attendance Reconciliation Reports, and implemented these policies and procedures. The OCFO\nalso performed monitoring department-wide to ensure that the reviews were completed, documented, and\napproved by an appropriate supervisor, and maintained. However, we noted that the reconciliation tested from\nthe Atlanta processing center did not contain a signature to validate the review. In addition, the Time and\nAttendance Reconciliation Reports do not contain a space for the date of the review; therefore, the timeliness of\nthe reconciliations and certifications was not verifiable.\n\nThe policies and procedures issued and the related reviews and audits appeared to reconcile and certify time and\nattendance records only. When we requested supporting documentation for the reviews of other NFC inputs and\noutputs (e.g., Gross Pay and Benefit Withholdings), we noted that the five agencies selected for FY 2008\ntestwork were able to provide the Detail Pay and Deduct Register report; however, the agencies could not\nprovide evidence of review or recalculations of payroll-related items other than time and attendance. Therefore,\nwe could not conclude that such reviews and recalculations were completed.\n\nIn FY 2009, DOL issued revised policies and procedures with an effective date of July 24, 2009, to provide\nguidance on the need for agencies to review payroll-related items other than time and attendance records. In\naddition to the revised policies issued, OCFO management has represented that they have also implemented a\nprocedure to monitor the completion of the reviews of payroll-related items other than time and attendance. Since\nthe revised policies and procedures were not effective until the last quarter of FY 2009, our testwork focused on\nthe time and attendance reconciliation policies that were effective for the first three quarters (i.e., the majority) of\nFY 2009, and we did not test the revised procedures implemented in July 2009.\n\nWe selected a sample of 8 time and attendance reconciliations from various agencies, none of which were\nprovided to us. We also noted that the OCFO had requested 38 sample items from the Human Resource offices to\nmonitor compliance with policies and procedures. The OCFO only received 6 of the 38 sample items requested.\nAs a result, we noted that insufficient evidence exists to determine that the preparation and review of payroll-\nrelated items, including time and attendance, were completed.\n\nThe lack of compensating reconciliation controls around the NFC compensation outputs increases the risk that\npayroll-related line items may be misstated due to errors in payroll processing by NFC.\n\nFederal agencies that use external service providers, such as the NFC, should have controls in place to ensure the\naccuracy of processing outputs. As stated by the USDA OIG in its FY 2009 Report No. 11401-30-FM, \xe2\x80\x9cThe\naccuracy and reliability of data processed by NFC and the resultant reports ultimately rests with the customer\nagency and any compensating controls implemented by such agencies.\xe2\x80\x9d\n\nOMB Circular No. 123, Management\xe2\x80\x99s Responsibility for Internal Control, states, \xe2\x80\x9cApplication control should be\ndesigned to ensure that transactions are properly authorized and processed accurately and that the data is valid\nand complete. Controls should be established at an application\xe2\x80\x99s interfaces to verify inputs and outputs, such as\nedit checks.\xe2\x80\x9d\n\n\n\n                                                                   FY\xc2\xa02009\xc2\xa0Performance\xc2\xa0and\xc2\xa0Accountability\xc2\xa0Report\xc2\xa0\xc2\xa0\xc2\xa0159\n\x0cFinancial\xc2\xa0Section\xc2\xa0\n\xc2\xa0\nSignificant\xc2\xa0Deficiencies\xc2\xa0\nExhibit\xc2\xa0I\xc2\xa0\n\xc2\xa0\n\n    Additionally, per the Government Accountability Office\xe2\x80\x99s (GAO) Standards for Internal Control in the Federal\n    Government, \xe2\x80\x9cInternal control should generally be designed to assure that ongoing monitoring occurs in the\n    course of normal operations. It is performed continually and is ingrained in the agency\xe2\x80\x99s operations. It includes\n    regular management and supervisory activities, comparisons, reconciliations, and other actions people take in\n    performing their duties.\xe2\x80\x9d\n\n    Based on our FY 2009 audit results, we consider the recommendation we made in FY 2006 as resolved and\n    open. To close this recommendation in the future, the DOL OCFO should (a) ensure that Human Resource\n    offices are reconciling all payroll information, not only time and attendance records, provided to the NFC to the\n    payroll information processed by the NFC for each pay period and (b) ensure that these reconciliations are\n    documented, reviewed, and approved by an appropriate supervisor, and maintained.\n\n    Management\xe2\x80\x99s Response: Over the past two years, management has made considerable progress in the area of\n    payroll processing. First, we implemented policies and procedures requiring reconciliation of time and\n    attendance data. We also implemented procedures to reconcile payroll data provided by the National Finance\n    Center (NFC) to that recorded in DOLAR$, another critical reconciliation of payroll information. In FY 2009,\n    OCFO modified a payroll exception report developed in prior years, the Payroll/Time & Attendance\n    Reconciliation Report. This report was improved in that it now lists both input and output discrepancies noted for\n    each payroll period. The report is distributed to each Human Resources Office (HRO) on the Monday following\n    each pay period. OCFO procedures require the HROs to review all discrepancies listed on the reports and\n    complete a certification by the second Friday after each pay period. The certifications require signatures of the\n    preparer and an HR supervisor, and discrepancies are required to be resolved by the end of the following pay\n    period.\n\n    In July 2009, OCFO initiated procedures to monitor HRO compliance with the new certification process. OCFO\n    performed independent reviews for a sample of the certifications, ensuring that the certification forms were\n    properly completed, approved, and included all information listed on the reconciliation reports. OCFO reviews\n    also included a determination as to whether reported discrepancies were subsequently resolved and corrected.\n    Since the implementation of these procedures, OCFO has been successful in ensuring that HROs are completing\n    and documenting the reconciliations in a timely fashion. We believe that the recommendations made by the\n    auditors are fully resolved, and anticipate closure of this finding in the FY 2010 audit.\n\n    Auditor Response: As indicated above, DOL could not provide supporting documentation for any of the\n    reconciliations we selected for our testing. However, since management addressed our recommendations by\n    implementing additional procedures during the last quarter of FY 2009, we consider these recommendations\n    resolved and open. FY 2010 audit procedures will determine whether these recommendations have been\n    adequately addressed and can be considered closed.\n\n3. Lack of Segregation of Duties over Journal Entries\n\n    During the FY 2006 audit, we noted that accounting staff from all DOL agencies were able to prepare and enter\n    journal entries into the Department of Labor Accounting and Related Systems (DOLAR$) without approval.\n    Although the OCFO had developed Department-wide manual policies and procedures designed to ensure the\n    segregation of journal entry preparation and approval authority in the second quarter of FY 2007, which was\n    revised and reissued in the second quarter of FY 2008, the same lack of supporting documentation evidencing\n    management review and approval was noted during the FYs 2007 and 2008 audits.\n\n    During the course of the FYs 2006, 2007, and 2008 audits, we issued several recommendations to the OCFO,\n    including the FY 2007 recommendation that management reconfigure DOLAR$ (and its successor system) so\n    that journal entries entered into the DOLAR$ general ledger system (and its successor system) are required to be\n    approved electronically by an individual other than the preparer before posting. We also recommended that:\n\n\n160\xc2\xa0\xc2\xa0\xc2\xa0United\xc2\xa0States\xc2\xa0Department\xc2\xa0of\xc2\xa0Labor\xc2\xa0\n\x0c                                                                                     Independent\xc2\xa0Auditors\xe2\x80\x99\xc2\xa0Report\xc2\xa0\n                                                                                                                    \xc2\xa0\n                                                                                           Significant\xc2\xa0Deficiencies\xc2\xa0\n                                                                                                           Exhibit\xc2\xa0I\xc2\xa0\n                                                                                                                    \xc2\xa0\n                                                                                                                    \xc2\xa0\n\n\xe2\x80\xa2\t Agencies implement manual compensating review controls until system controls have been implemented.\n\xe2\x80\xa2\t OCFO management monitor DOL employees\xe2\x80\x99 compliance with the Department wide-policies and\n   procedures in place for documenting the review of all journal entries.\n\xe2\x80\xa2\t OCFO management design and implement detective controls that require supervisors to periodically generate\n   and review activity reports that list all journal entries posted to DOLAR$.\n\nDuring FY 2009, we tested a sample of 622 journal entries recorded from October 1, 2008 through September\n30, 2009. For 55 of these journal entries, the OCFO did not provide support evidencing that they had been\nreviewed by a supervisor or someone other than the preparer before they were posted to DOLAR$. DOL\nmanagement indicated that 24 of the 55 exceptions noted should not be subject to the OCFO policy since they are\nrelated to recording commitments and sub-allocations and are subject to other review controls in the budget\noffice; however, no documentation was provided by the OCFO to support that these entries were reviewed by the\nbudget office staff. In addition, the OCFO written policy does not exempt these types of entries from the journal\nentry review procedures.\n\nFurthermore, we noted that 20 journal entries were posted to DOLAR$ prior to review and approval as evidenced\nby the signature on the cover sheets of the journal entries.\n\nWe also noted during our review of DOL\xe2\x80\x99s June 30, 2009 consolidated financial statements that the OCFO staff\nmade certain adjustments to the Combined Statement of Budgetary Resources (SBR) for a total of approximately\n$1.3 billion without posting these adjustments into DOLAR$ in the form of journal entries (i.e., top-side\nadjustments). No evidence existed to support that appropriate management personnel reviewed and approved\nthese adjustments. In addition, DOL\xe2\x80\x99s current policies and procedures do not specifically cover top-side\nadjustment entries.\n\nBy posting transactions and making adjustments to the consolidated financial statements without proper review\nand approval and allowing individuals the authority to prepare and approve their own transactions in DOLAR$,\nthere is an increased risk that a material error would not be prevented or detected and corrected in a timely\nmanner. In addition, there is a risk that employees are not following policies and management is unaware of their\nnon-compliance.\n\nIn addition, OCFO management represented that the New Core Financial Management System (NCFMS), to be\nimplemented in January 2010 to replace DOLAR$, will require electronic approval by someone other than the\npreparer before journal entries are posted. As a result, we were again informed that DOL does not plan to\nimplement the recommendation to reconfigure DOLAR$ so that journal entries entered into DOLAR$ are\napproved electronically by an individual other than the preparer before posting.\n\nPer GAO\xe2\x80\x99s Standards of Internal Control in the Federal Government, \xe2\x80\x9cKey duties and responsibilities need to be\ndivided or segregated among different people to reduce the risk of error or fraud. This should include separating\nthe responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and\nhandling any related assets. No one individual should control all key aspects of a transaction or event.\xe2\x80\x9d\n\nBecause management provided timeframes to implement the new general ledger system that requires electronic\napproval by someone other than the preparer before journal entries are posted, we consider the recommendation\nwe made in FY 2007 resolved and open. To close the recommendation, management must ensure that the\nNCFMS is configured, upon implementation, so that journal entries entered into it are required to be approved\nelectronically by an individual other than the preparer.\n\n\n\n\n                                                               FY\xc2\xa02009\xc2\xa0Performance\xc2\xa0and\xc2\xa0Accountability\xc2\xa0Report\xc2\xa0\xc2\xa0\xc2\xa0161\n\x0cFinancial\xc2\xa0Section\xc2\xa0\n\xc2\xa0\nSignificant\xc2\xa0Deficiencies\xc2\xa0\nExhibit\xc2\xa0I\xc2\xa0\n\xc2\xa0\n\n    Because OCFO management does not consistently monitor DOL employees\xe2\x80\x99 compliance with the OCFO policies\n    and procedures in place that require all journal entries to be properly prepared, supported, and approved before\n    posting to DOLAR$ and that proper segregation of duties is in place related to the preparation and posting of\n    journal entries, we consider the manual control recommendation made in FY 2006 as unresolved. To close this\n    recommendation, management should (a) develop and implement procedures to monitor DOL agencies to\n    determine they are in compliance with OCFO policies and procedures related to journal entries, (b) design and\n    implement detective controls that require supervisors to periodically generate and review activity reports that list\n    all journal entries posted to DOLAR$, and (c) revise the department-wide policies and procedures to require that\n    all manual entries, including top-side adjustment entries, be documented and reviewed and approved by a\n    supervisor or someone other than the preparer before the financial statements are adjusted. These controls should\n    ensure that all journal entries and top-side adjustments that are posted are appropriate, supported, and\n    documented.\n\n    Management\xe2\x80\x99s Response: With respect to existing policies and procedures over journal entries, we disagree with\n    the auditor\xe2\x80\x99s conclusion that prior year issues remain unresolved. OCFO has significantly improved the\n    documentation and approval requirements over journal entries. Additional procedures were implemented in\n    January 2009 to ensure that journal entries recorded in DOLAR$ are sufficiently reviewed and approved, and\n    that adequate segregation of duties exists over the authorization, recording, and review and approval functions.\n    During the year, OCFO conducted independent reviews of journal entries recorded by ETA, OJC, OCFO, and\n    other agencies, and provided guidance to those agencies. With the recent policy revisions and other OCFO\n    actions taken since this finding originated, we believe that OCFO has appropriate monitoring procedures in place\n    to ensure that journal entries recorded by DOL agencies are subjected to sufficient segregation of duties and\n    review and approval procedures.\n\n    We understand that many of the \xe2\x80\x9cerrors\xe2\x80\x9d described by the auditors pertain specifically to entries made by ETA to\n    record commitments and sub-allocations. The auditors contend that these transactions are recorded in DOLAR$\n    without proper review and approval or without appropriate segregation of duties. In fact, these transactions are\n    initiated and authorized by different individuals prior to being recorded in DOLAR$, and are subjected to certain\n    detective controls after recording to ensure accuracy. Commitments are recorded by the Budget Office only upon\n    receipt of an EPS-generated document that records the initial request for funds and the subsequent approval by\n    the program office. Sub-allocations are prepared by a budget analyst and are reviewed and approved by the\n    Budget Officer prior to being recorded in DOLAR$. Subsequently, ETA\xe2\x80\x99s Budget Office utilizes two reports\n    which act as detective controls to ensure the accuracy and completeness of allocations and commitments\n    recorded in DOLAR$. Since these transactions are initiated, authorized, recorded, and reviewed by different\n    individuals, we believe that the segregation of duties is intact and that existing review procedures ensure that\n    amounts recorded in DOLAR$ are accurate and complete.\n\n    With respect to the new financial system, NCFMS, the system requires that the posting and approval functions\n    for all journal entries be performed electronically and by separate individuals. All journal entries are held in\n    suspense and are not recorded until electronic approval is received from the designated supervisor.\n\n    Based on these facts, we believe that the FY 2006 recommendation should be considered resolved, and that this\n    finding does not rise to the level of a significant deficiency. At most it should be considered a management\n    advisory comment.\n\n    Auditor Response: We believe that the results of our audit procedures support our conclusion that a significant\n    deficiency exists in this area. As a result, we consider the system-related recommendation resolved and open\n    and the remaining recommendations unresolved pending completion of a corrective action plan and timeframes\n    for implementation.\n\n\n\n162\xc2\xa0\xc2\xa0\xc2\xa0United\xc2\xa0States\xc2\xa0Department\xc2\xa0of\xc2\xa0Labor\xc2\xa0\n\x0c                                                                                          Independent\xc2\xa0Auditors\xe2\x80\x99\xc2\xa0Report\xc2\xa0\n                                                                                                                         \xc2\xa0\n                                                                                                Significant\xc2\xa0Deficiencies\xc2\xa0\n                                                                                                                Exhibit\xc2\xa0I\xc2\xa0\n                                                                                                                         \xc2\xa0\n                                                                                                                         \xc2\xa0\n4.\t Lack of Sufficient Controls over Financial Statement Preparation\n\n   During our review of DOL\xe2\x80\x99s June 30, 2009 and September 30, 2009 draft consolidated financial statements, we\n   noted the following errors and omissions that were not detected by the OCFO\xe2\x80\x99s review of the draft financial\n   statements:\n   1.\t The balance of distributed offsetting receipts reported in DOL\xe2\x80\x99s SBR as of June 30, 2009 and September 30,\n       2009 was understated by $22.5 billion and $197 million, respectively.\n   2.\t Total unobligated balances available and unobligated balances not available reported in DOL\xe2\x80\x99s SBR as of\n       September 30, 2009 were misstated by $2.5 billion due to a classification error that caused this amount to be\n       reported as unobligated balances not available instead of unobligated balances available.\n   3.\t The OCFO removed estimated interest payments from the Statement of Social Insurance for fiscal year 2009\n       and revised its fiscal years 2005 through 2008 consolidated financial statements to conform to this fiscal year\n       2009 presentation. However, the OCFO did not include a footnote disclosure in DOL\xe2\x80\x99s September 30, 2009\n       draft consolidated financial statements to explain the changes made to the presentation of the statement.\n   4.\t The earned revenue reported in Note 15 of the consolidated financial statements for one of DOL\xe2\x80\x99s agencies\n       was initially overstated by $44.7 million. This intra-departmental amount was incorrectly reported as earned\n       revenue instead of a non-expenditure transfer. This error had no impact on the consolidated statements of net\n       cost because it was eliminated during consolidation.\n   5.\t Note 18D was initially incomplete as it did not include a reconciliation of distributed offsetting receipts from\n       the SBR to the Budget of the United States Government.\n   6.\t The unobligated balance available reported in Note 2 is understated by $151 million as of September 30,\n       2009. This understatement is due to a classification error that is offset by overstatements of $69 million in\n       obligated balance not yet disbursed and $82 million in unobligated balance unavailable. This classification\n       error had no impact on the total Fund Balance with Treasury reported in Note 2.\n\n   Except for condition no. 6 related to Fund Balance with Treasury, the above errors were subsequently corrected\n   by management in the final FY 2009 consolidated financial statements.\n\n   In addition, the OCFO did not complete the September 30, 2009 SBR to SF-133, Report on Budget Execution\n   and Budgetary Resources (SF-133), reconciliation and research identified differences timely. The OCFO\n   reconciliation was not completed until after the OCFO prepared two drafts of DOL\xe2\x80\x99s consolidated financial\n   statements.\n\n   Furthermore, the OCFO did not provide us a complete set of DOL\xe2\x80\x99s September 30, 2009 draft consolidated\n   financial statements and trial balances in a timely manner.\n\n   The above issues occurred because the OCFO did not perform a sufficiently detailed review of the consolidated\n   financial statements to ensure that misstatements, errors, and omissions related to the statements, notes, required\n   supplementary information, and required supplementary stewardship information were detected and corrected\n   and that the draft financial statements were submitted timely. In addition, the U.S. Department of Labor Manual\n   Series (DLMS) does not include specific guidance on the review procedures of the consolidated financial\n   statements that would guide DOL supervisors during their reviews. Specifically related to condition no. 1, OCFO\n   policy does not require the quarterly reconciliation of distributed offsetting receipts reported on DOL\xe2\x80\x99s SBR to\n   distributed offsetting receipts reported on the U.S. Department of the Treasury\xe2\x80\x99s Quarterly Distributed Offsetting\n   Receipts by Department Report. These issues resulted in the need to correct the consolidated financial statements\n   prior to final submission, causing delays in the financial reporting process.\n\n\n\n                                                                    FY\xc2\xa02009\xc2\xa0Performance\xc2\xa0and\xc2\xa0Accountability\xc2\xa0Report\xc2\xa0\xc2\xa0\xc2\xa0163\n\x0cFinancial\xc2\xa0Section\xc2\xa0\n\xc2\xa0\nSignificant\xc2\xa0Deficiencies\xc2\xa0\nExhibit\xc2\xa0I\xc2\xa0\n\xc2\xa0\n\n    U.S. Government Accountability Office\xe2\x80\x99s (GAO), Standards for Internal Control in the Federal Government\n    (Standards), states, \xe2\x80\x9cInternal control should generally be designed to assure that ongoing monitoring occurs in\n    the course of normal operations. It is performed continually and is ingrained in the agency\xe2\x80\x99s operations. It\n    includes regular management and supervisory activities, comparisons, reconciliations, and other actions people\n    take in performing their duties.\xe2\x80\x9d\n\n    Office of Management and Budget (OMB) Circular No. A-123, Management\xe2\x80\x99s Responsibility for Internal\n    Control, states \xe2\x80\x9cThe agency head must establish controls that reasonably ensure that obligations and costs are in\n    compliance with applicable laws; funds, property, and other assets are safeguarded against waste, loss,\n    unauthorized use, or misappropriation; and revenues and expenditures applicable to agency operations are\n    properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical\n    reports...\xe2\x80\x9d\n\n    Statement of Federal Financial Accounting Concepts No.1, Objectives of Federal Financial Reporting, paragraph\n    163 states, \xe2\x80\x9cFinancial reports should be consistent over time; that is, once an accounting principle or reporting\n    method is adopted, it should be used for all similar transactions and events unless there is good cause to change.\xe2\x80\x9d\n\n    OMB Circular No. A-136, Financial Reporting Requirements, section II.4.9.34, discusses the required financial\n    statement note that explains the differences between the SBR and the Budget of the United States Government.\n    \xe2\x80\x9cAt a minimum, agencies should display the material differences for comparable line items related to budgetary\n    resources, obligations, distributed offsetting receipts and outlays.\xe2\x80\x9d\n\n    We recommend that the Chief Financial Officer (a) implement procedures to require that OCFO staff reconcile\n    the amount of distributed offsetting receipts reported on DOL\xe2\x80\x99s quarterly SBR to distributed offsetting receipts\n    reported on Treasury\xe2\x80\x99s Quarterly Distributed Offsetting Receipts by Department Report, (b) ensure that OCFO\n    personnel perform a more detailed review of all financial information in the Performance and Accountability\n    Report (PAR) including financial statements, notes, supplementary information, and supplementary stewardship\n    information, (c) complete the quarterly reconciliations of the SBR to SF-133, including the completion of\n    documented supervisory reviews over these reconciliations, by a certain date that facilitates timely identification\n    and correction of potential SBR misstatements. and (d) update DLMS to include guidance for DOL supervisors\n    to follow during their financial statement reviews, including procedures for comparing financial data reported on\n    the different statements and notes to ensure accuracy and consistency.\n\n    Management\xe2\x80\x99s Response: We believe that this finding overstates certain facts, and that the actual events that\n    occurred do not warrant issuance of a significant deficiency. The quarterly and year-end financial statements are\n    subjected to a draft and final submission process, and it is normal and appropriate for various analyses and\n    reviews of draft financial statements to result in subsequent corrections and adjustments in the finals. At year-\n    end, due to the tight deadlines for submission of the audit and year-end statements, the OCFO\xe2\x80\x99s reviews of the\n    draft financial statements typically overlap with those of the auditors, and we believe it overstates the facts to\n    conclude that our processes would not have detected many of the issues identified in this finding. The OCFO has\n    the right to make corrections to draft financial statements until the final opinion is issued by the independent\n    auditors. Furthermore, the auditor was made aware of all corrections to financial statements in all drafts\n    submitted.\n\n    In regards to the offsetting receipts, OCFO does not concur with the auditor\xe2\x80\x99s statement that reconciliations of\n    distributed offsetting receipts are not performed and does not believe there were any delays in the financial\n    reporting process caused by this issue. The $197 million understatement was a result of the attempt to verify and\n    reconcile FMS reported amounts to amounts recorded in DOL\xe2\x80\x99s general ledger. The understated amount quoted\n    for June 30, 2009 is incorrect, a fact that the OCFO determined by subsequent reconciliation to the amount\n    reported on the FMS website. FMS subsequently changed the amount reported for June 30, 2009. We also note\n\n\n164\xc2\xa0\xc2\xa0\xc2\xa0United\xc2\xa0States\xc2\xa0Department\xc2\xa0of\xc2\xa0Labor\xc2\xa0\n\x0c                                                                                        Independent\xc2\xa0Auditors\xe2\x80\x99\xc2\xa0Report\xc2\xa0\n                                                                                                                       \xc2\xa0\n                                                                                              Significant\xc2\xa0Deficiencies\xc2\xa0\n                                                                                                              Exhibit\xc2\xa0I\xc2\xa0\n                                                                                                                       \xc2\xa0\n                                                                                                                       \xc2\xa0\nthat OCFO was not made aware that FMS had established a website for distributed offsetting receipts until after\nthe June 30, 2009 unaudited interim statements were submitted to OMB.\n\nAs to the other matters mentioned by the auditors: (1) OCFO was aware of a discrepancy in unobligated balances\nbut did not include changes to draft financial statements until it was able to sufficiently investigate the cause and\naccurately quantify the adjustment required; (2) the proposed changes for the Statement of Social Insurance were\nprovided to the auditor in May 2009, and the related disclosures were included in subsequent draft financial\nstatements; (3) intra-departmental transfers were originally recorded in accordance with the SF 132 presentation,\nand were corrected after consultation with OMB to insure proper treatment; and (4) OCFO believes that entire\namount of distributed offsetting receipts was not material and, accordingly, Note 18D as presented in the original\ndraft was in accordance with OMB guidance. OMB Circular No. A-136, as cited by the auditors, only requires\ndisclosures of material differences.\n\nWhile we do not concur with the auditor\xe2\x80\x99s description of the facts or their resulting conclusions, we do\nacknowledge that the time frames for financial reporting, especially at year end, put significant pressure on those\ninvolved in preparation and review of the financial statements. We agree that enhancing certain processes, and\nchanging the frequency and/or timing of certain reconciliations, would alleviate some of the pressure and\nimprove timeliness. Therefore, we will review existing procedures utilized in the preparation and review of\nquarterly and year-end financial statements, including the footnotes, and will identify areas in need of\nimprovement. We will also look at the numerous reviews and reconciliations currently performed by the OCFO\nand other agencies, and will consider the need for increased frequency and stepped up time frames. Revised\nprocedures will be developed and implemented accordingly, and will be updated in the DLMS if necessary by\nJune 30, 2010.\n\n\nAuditor Response: Although the OCFO stated that it does not concur with our comments, the OCFO will be\ntaking steps to address our recommendations. Therefore, we consider these recommendations resolved and\nopen. FY 2010 audit procedures will determine whether these recommendations have been adequately addressed\nand can be considered closed.\n\n\n\n\n                                                                  FY\xc2\xa02009\xc2\xa0Performance\xc2\xa0and\xc2\xa0Accountability\xc2\xa0Report\xc2\xa0\xc2\xa0\xc2\xa0165\n\x0c'